SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Transparent Mode Clustering

    Posted 09-02-2015 07:55

    I'm working with a client looking to replace transparent mode ASAs with SRXs.

     

    I have searched for a config guide detailing the build procedure, but there seems to be limited documentation out there.

     

    Any pointers would be really appreciated!



  • 2.  RE: Transparent Mode Clustering

     
    Posted 09-02-2015 10:50

    Hello Ajaz,

     

    Is it a Branch SRX or a High End SRX?

     

    The following link (PDF page number 23) gives a complete configuration of an SRX Active/Passive Cluster in Transparent Mode.

     

    http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/SRX%20High%20Availability%20Deployment%20Guide.pdf

     

    Regards,

     

    Rushi



  • 3.  RE: Transparent Mode Clustering

    Posted 11-09-2015 06:31
    Forgive my question, how can I know if an SRX FW is branch or HE? Is this HW related or SW/license related?

    Is there a specific show command that can answer my original question?

    Thanks in advance!


  • 4.  RE: Transparent Mode Clustering

    Posted 11-09-2015 06:36


  • 5.  RE: Transparent Mode Clustering
    Best Answer

     
    Posted 09-02-2015 11:15

    Hello Ajaz,

     

    Sample configuration is as below (On SRX240):

     

    1) To enable cluster:

    On device A:
    set chassis cluster cluster-id 1 node 0 reboot

    On device B:
    set chassis cluster cluster-id 1 node 1 reboot

     

    2) Define group for Node specific configuration & apply it. Includes configuring Management IPs.

    On device A:
    {primary:node0}
    set groups node0 system host-name <name-node0> -Device A's host name
    set groups node0 interfaces fxp0 unit 0 family inet address <ip address/mask> -Device A's management IP address on fxp0 interface
    set groups node1 system host-name <name-node1> -Device B's host name
    set groups node1 interfaces fxp0 unit 0 family inet address <ip address/mask> -Device B's management IP address on fxp0 interface
    set apply-groups "${node}"

     

    3) Configuring Fabric links. There is no specific command for control links on branch devices, as on every platform specific predefined interfaces become control ports automatically.

    On device A:
    {primary:node0}
    *fab0 is node0 (Device A) interface for the data link
    set interfaces fab0 fabric-options member-interfaces ge-0/0/2

    *fab1 is node1 (Device B) interface for the data link
    set interfaces fab1 fabric-options member-interfaces ge-5/0/2

     

    4) Redundancy Group Configuration for RG0 & RG1 with node specific priorities to decide who will be master & who will be backup.

    On device A:
    {primary:node0}
    set chassis cluster redundancy-group 0 node 0 priority 100
    set chassis cluster redundancy-group 0 node 1 priority 1
    set chassis cluster redundancy-group 1 node 0 priority 100
    set chassis cluster redundancy-group 1 node 1 priority 1

     

    5) Interface configuration in Layer 2 Mode:

    a) In access mode:

    On device A:
    {primary:node0}
    set chassis cluster reth-count 2
    set interfaces ge-0/0/4 gigether-options redundant-parent reth0
    set interfaces ge-0/0/3 gigether-options redundant-parent reth1
    set interfaces ge-5/0/4 gigether-options redundant-parent reth0
    set interfaces ge-5/0/3 gigether-options redundant-parent reth1
    set interfaces reth0 redundant-ether-options redundancy-group 1
    set interfaces reth0 unit 0 family bridge interface-mode access
    set interfaces reth0 unit 0 family bridge vlan-id 50
    set interfaces reth1 redundant-ether-options redundancy-group 1
    set interfaces reth1 unit 0 family bridge interface-mode access
    set interfaces reth1 unit 0 family bridge vlan-id 50

    b) In Trunk Mode:

    On device A:
    {primary:node0}
    set chassis cluster reth-count 2
    set interfaces ge-0/0/4 gigether-options redundant-parent reth0
    set interfaces ge-0/0/3 gigether-options redundant-parent reth1
    set interfaces ge-5/0/4 gigether-options redundant-parent reth0
    set interfaces ge-5/0/3 gigether-options redundant-parent reth1
    set interfaces reth0 redundant-ether-options redundancy-group 1
    set interfaces reth0 vlan-tagging
    set interfaces reth0 native-vlan-id 10
    set interfaces reth0 unit 0 family bridge interface-mode trunk
    set interfaces reth0 unit 0 family bridge vlan-id-list 50-60
    set interfaces reth1 redundant-ether-options redundancy-group 1
    set interfaces reth1 unit 0 family bridge interface-mode trunk
    set interfaces reth1 unit 0 family bridge vlan-id-list 50-60
    set interfaces reth1 vlan-tagging
    set interfaces reth1 native-vlan-id 10

     

    6) Zone configuration:

    set security zones security-zone untrust interfaces reth0.0
    set security zones security-zone trust interfaces reth1.0

     

    Bridge domains can be configured using link below:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB21421

     

    Security policies, NAT, Routing etc. should be configured as per requirement.

     

    Regards,

     

    Rushi
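
Added example (not part of the post above and not Juniper's own code): a small Python check that reads set-style commands like those in steps 5 and 6 and reports any redundant Ethernet interface that lacks a member link on one node, a redundancy group, or a security zone binding for its bridge unit. The node 1 FPC offset of 5 is taken from the SRX240 sample above and is an assumption for other platforms; the sample input is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: access-mode commands from the post with two deliberate
# gaps (reth1 has no node1 member link, reth1.0 is not bound to a zone).
SAMPLE = """\
set chassis cluster reth-count 2
set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth1
set interfaces ge-5/0/4 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family bridge vlan-id 50
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family bridge vlan-id 50
set security zones security-zone untrust interfaces reth0.0
"""

PATTERNS = {
    "count": r"set chassis cluster reth-count (\d+)$",
    "member": r"set interfaces \w+-(\d+)/\d+/\d+ gigether-options redundant-parent (reth\d+)$",
    "rg": r"set interfaces (reth\d+) redundant-ether-options redundancy-group (\d+)$",
    "bridge": r"set interfaces (reth\d+) unit (\d+) family bridge ",
    "zone": r"set security zones security-zone \S+ interfaces (reth\d+\.\d+)$",
}

def audit(config, node1_fpc=5):
    """Return a sorted list of findings for a set-style L2 cluster config."""
    # node1_fpc=5 is an assumption taken from the SRX240 sample (ge-5/0/x).
    hits = defaultdict(list)
    for line in config.splitlines():
        for key, pat in PATTERNS.items():
            if m := re.match(pat, line.strip()):
                hits[key].append(m.groups())
    nodes = defaultdict(set)  # reth name -> node ids that contribute a link
    for fpc, reth in hits["member"]:
        nodes[reth].add(1 if int(fpc) >= node1_fpc else 0)
    rg = {reth for reth, _ in hits["rg"]}
    units = {f"{reth}.{unit}" for reth, unit in hits["bridge"]}
    zoned = {ifl for (ifl,) in hits["zone"]}
    reths = set(nodes) | rg | {u.split(".")[0] for u in units}
    count = max((int(c) for (c,) in hits["count"]), default=0)
    out = [f"{r}: index exceeds reth-count {count}" for r in reths if int(r[4:]) >= count]
    out += [f"{r}: no member link on node{n}" for r in reths for n in (0, 1) if n not in nodes[r]]
    out += [f"{r}: no redundancy-group" for r in reths - rg]
    out += [f"{u}: bridge unit not in any security zone" for u in units - zoned]
    return sorted(out)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result means every reth in the input has links on both nodes, a redundancy group, and a zone for each bridge unit; it does not validate bridge domains or security policies.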

     

     



  • 6.  RE: Transparent Mode Clustering

    Posted 09-02-2015 14:40

    Awesome!

    We are considering SRX550 which as you know is classed as branch.

    Thank you